Abstract

As a replacement to the current Shuttle, the Ares I rocket and Orion crew module are currently under 
development by the National Aeronautics and Space Administration (NASA). This new launch vehicle is 
segmented into major elements, one of which is the Upper Stage (US). The US is further broken down 
into subsystems, one of which is the Thrust Vector Control (TVC) subsystem which gimbals the US 
rocket nozzle. Nominal and off-nominal simulations for the US TVC subsystem are needed in order to 
support the development of software used for control systems and diagnostics. In addition, a clear and 
complete understanding of the effect of off-nominal conditions on the vehicle flight dynamics is desired. 
To achieve these goals, a simulation of the US TVC subsystem combined with the Ares I vehicle was
developed. This closed-loop dynamic model was created using Matlab’s Simulink and a modified version
of a vehicle simulation, MAVERIC, which is currently used in the Ares I project and was developed by 
the Marshall Space Flight Center (MSFC). For this report, the effects on the flight trajectory of the Ares I 
vehicle are investigated after failures are injected into the US TVC subsystem. The comparisons of the 
off-nominal conditions observed in the US TVC subsystem with those of the Ares I vehicle flight 
dynamics are of particular interest. 


1.0 Introduction 

The National Aeronautics and Space Administration (NASA) has been given the mandate to replace 
the current Shuttle with a new launch system and crew vehicle. The technical and programmatic resources 
that are needed to achieve this goal are being carried out under NASA’s Constellation Program. The new 
Ares I launch vehicle and the Orion crew module, which rides on top of the Ares I, will take the place of 
the present Shuttle arrangement. There are primarily two missions that are targeted for the Ares I launch 
vehicle and Orion crew module. The first is to launch into low Earth orbit (LEO) for meeting with the 
International Space Station (ISS) and the second is to travel to the Moon. 

The Ares I Fault Detection Diagnosis and Response (FDDR) team has been formed to develop the 
necessary inputs and algorithms that support some of the safety systems that will be built into the Ares I 
vehicle. NASA document CxP 72244, Ares I Failure Detection, Notification, and Response (FDNR) 
System Definition Document (SDD), describes in detail the process of notification and mitigation of 
failure conditions that might occur on the Ares I vehicle. As an element of the Ares I vehicle, the Upper 
Stage (US) system is divided into subsystems, one of which is the Thrust Vector Control (TVC) 
subsystem. This US subsystem is being managed and developed at the NASA Glenn Research Center
(GRC), and the GRC FDDR team has been tasked with providing the technical input for the FDNR SDD 
as it pertains to the US TVC subsystem. Much of this input has been obtained from the US TVC subject 
matter experts, as well as from using the simulation model of the US TVC subsystem in order to 
investigate and determine the characteristics of nominal and off-nominal behavior. 

Dynamic models and the resulting simulation data provide essential tools that are used for system 
design, analysis and testing. In particular, when there are no experiment or flight data available, 
simulation data are necessary to support the development of algorithms for control and diagnostics. Since 
the dynamic models can be structured so that their outputs represent sensor data streams, they can be used 
as a virtual test bed in order to simulate the actual hardware system. In addition, the simulation 
environment provides an opportunity to implement failure scenarios that otherwise might be too costly or 
dangerous in a hardware test program. As a project matures and hardware test programs are advanced, 
data become available that can then be used to refine the dynamic models. It is anticipated that this cyclic 
process can continue as long as the flight vehicle is in service. 

In order to support the development of the items described in the preceding paragraph, the capabilities 
to perform nominal and off-nominal simulations for the US TVC subsystem are needed. In addition,
determining the effects on the Ares I vehicle dynamics due to these off-nominal conditions is also
desired. Therefore, an integrated simulation model of the US TVC subsystem with the Ares I vehicle
simulation code was developed. This closed-loop dynamic model, which incorporated a modified
version of the MSFC developed vehicle code, Marshall Aerospace Vehicle Representation in C
(MAVERIC), was created using the Mathworks, Inc.’s Simulink modeling software.

For this report, the effects on the flight trajectory of the Ares I vehicle due to failures in the US TVC 
subsystem are investigated. These failures include ones that might occur in the actuator components, as
well as those that might possibly occur in the commanded inputs received from the Guidance, Navigation
and Control (GN&C) system. Note that this is a limited study that was conducted to support GRC FDDR 
US TVC goals and was funded by the US TVC Project. In addition, this work was not intended to 
duplicate or replace the off-nominal MAVERIC simulation studies that were and are continuing to be 
performed for the US program. 

The remainder of the paper is organized as follows. Section 2.0 provides a high-level overview of the 
Ares I vehicle, with somewhat detailed discussion of the US TVC subsystem. Section 3.0 provides an 
overview of the integrated simulation model including discussions of the MAVERIC vehicle simulation 
code, the US TVC subsystem model and the integration process. Section 4.0 describes the nominal and 
failure scenarios selected for analyses along with the simulation results from those modeled failure 
scenarios. Lastly, Section 5.0 provides a summary and conclusions. 

2.0 Ares I Vehicle Overview 

NASA’s Constellation Program has described the Ares I/Orion vehicle as replacing most of the 
Shuttle functions, while being capable of supporting future Moon missions. As such, Ares I has some 
technologies and components that are based on the heritage of the Shuttle. However, unlike the Shuttle, 
the crew’s exploration vehicle will sit on top of the integrated stack, as shown in Figure 1. In that figure, 
the Ares I major components are shown: the Orion Crew Exploration Vehicle, the US that includes the 
J-2X engine and the first stage that includes the 5-segment reusable solid rocket booster. It is not intended 
to give a complete overview of the Ares I program in this report; rather, a comprehensive report on the 
Ares I concept and architecture can be found in Reference 1. 

Figure 1. — Major elements of the Ares I vehicle.

Figure 2. — Ares I Upper Stage.

The following sections briefly describe the US vehicle, the US TVC subsystem and a nominal 
mission profile. 


2.1 Upper Stage System 

The US system is used after the First Stage has separated from the Ares I vehicle, and it is required to 
finish the ascent portion of the flight trajectory. An artist’s rendering showing some of the major 
components of the US is shown in Figure 2. 

Basically, the US architecture consists of five main subsystems that are categorized as the following: 
structures and thermal, main propulsion, roll control and reaction control, thrust vector control and 
avionics. These subsystems work together to provide the necessary conditions for a successful mission; a 
detailed report on the Ares I US system can be found in Reference 2. The US program is managed by 
MSFC along with most of the subsystems. The US TVC subsystem is an exception to this, and it is being 
developed and managed by the NASA Glenn Research Center in Cleveland, Ohio. 

2.2 Upper Stage Thrust Vector Control Subsystem

The primary function of the US TVC subsystem is to control the direction of the J-2X engine thrust in 
order to maintain the vehicle on its commanded flight trajectory, based on the design requirements listed 
in Reference 3. Figure 3 illustrates the US TVC subsystem architecture. A description of its operation is 
contained in the TVC Operations Concept Document (Ref. 4). Note that the design is not finalized, but 
this is representative of the system as it was defined at the time this report was written. Moving across the 
diagram from right to left, the gaseous hydrogen that is provided by the main propulsion system enters 
and powers the turbine pump assembly (TPA) via the propellant valves. Once the TPA reaches full
power, separate power strings of the hydraulic system transport the hydraulic fluid to the rock and tilt 
actuators so that they are ready to operate based on commands from the GN&C inputs. In the event of a 
supply pressure failure, either hydraulic circuit can power both actuators. The actuators are positioned 45° 
from the vehicle pitch axis and are labeled the rock and tilt actuators, respectively. The commanded 
stroke of the actuators has been limited to changing the thrust vector by a magnitude of 4° as per the 
requirements on the US TVC subsystem. 

The circulation motor pump shown in Figure 3 is used during pre-launch for thermal conditioning of 
the US TVC subsystem; it is not used during flight. For this report, pre-launch conditions are assumed to 
be nominal and have no adverse effects on the ascent phase of the powered flight when the US TVC is 
active. Hence, a model of the circulation motor pump is neither required for nor included in the system 
model. 


Figure 4. — US TVC actuator assembly.

As expected, the performance of the US TVC subsystem depends on all of its components 
functioning nominally. In particular, the nominal operation of the rock and tilt actuators is critical to 
having the US continue on the required flight trajectory that has been defined for its mission. As such, 
each failure case presented and described in this paper is related to the actuator assembly. Figure 4 shows 
a simplified schematic of the actuator assembly (reproduced from (Ref. 5)), and a complete description of 
its operation is provided in Reference 4. 

Referring to Figure 4, pressure is supplied from the hydraulic power circuit by either the Primary
Rock String or the Secondary Rock String via the selector valve to the three-channel servovalve. Each 
channel in the servovalve is controlled individually by one of the three torque motors shown above. 
Downstream from the servovalve, the power valve acts as a summing junction for the three flows out of 
the servovalve. The actuator is single fault tolerant; a failure in one channel is overcome by the other two 
channels in a passive voting arrangement. The selector valve is only used in the case of an off-nominal 
condition. If there is a drop in primary supply pressure, the selector valve moves so that both the rock and 
tilt actuators are powered by one hydraulic string. Likewise, during flight, the locking valve is only used 
during an off-nominal condition. If the supply pressure drops too low, the locking valve engages and 
holds the actuator in its current position. Note that the failure scenarios considered and described in this 
paper are related to failures in the servovalve or as command errors to the actuator. 

2.3 Nominal Mission 

The Ares I vehicle is designed for use on LEO and lunar missions. A typical mission profile is shown 
in Figure 5. 

The nominal timeline is being refined as performance requirements and system operation concepts are 
finalized. Referring to this timeline, for the simulation results presented in this report, the MAVERIC 
vehicle simulation starts at first stage ignition (launch) and continues until the Main Engine Cutoff 
(MECO) command. Failure scenarios are focused on the time period that starts when the US TVC 
subsystem is fully powered (3 sec after Main Engine Start Command) and ends with MECO. 

Figure 5. — Ares I flight trajectory.


3.0 Integrated Simulation Model 

The integrated Simulink model of the Ares I vehicle with the US TVC subsystem consists of an 
S-function of MAVERIC (version 3.1) and a dynamic model that represents the US TVC subsystem. The 
following sections of this report briefly describe the individual simulation models and the process 
followed to produce the integrated model that was used to perform the closed-loop simulations. 

3.1 Upper Stage TVC Simulation 

Figure 6 represents the Simulink model of the US TVC subsystem in an open-loop configuration. A 
complete description of this dynamic model is provided in Reference 5. In addition, simulation results 
were presented in Reference 5 from hydraulic leak failure scenarios that were computed using this
open-loop configuration. In those cases, the rock and tilt commands to the actuators were provided from output
data from a stand-alone version of MAVERIC in order to incorporate the GN&C data from the Ares I
vehicle. Note that the actuator command inputs are located inside the actuator blocks, which are not
visible in the top-level diagram pictured in Figure 6. Descriptions for the simulation parameters shown in 
Figure 6 are given in Table 1. 

TABLE 1.— DESCRIPTIONS FOR SYMBOLS IN US TVC SIMULINK MODEL

Figure 7 represents the rock actuator as it is modeled in the US TVC subsystem simulation model. The
command input to the rock actuator component is clearly identified in this lower-level diagram. 
Descriptions for the symbols shown in Figure 7 are provided in Table 2. 

The major components of the US TVC subsystem are modeled with enough fidelity to perform 
transient analyses. Although in reality the hardware mounted on the thrust cone will not be physically 
symmetrical, at the time of this report their precise layout is still being determined. Thus for ease of 
implementation, it is assumed that the rock and tilt components are installed symmetrically, which means 
that their associated line lengths and connections are the same. Therefore, the system dynamics for the 
rock and tilt string will be similar. 

Each string for the US TVC Simulink model consists of sub-models that include the TPA, hydraulic 
and actuator subsystems. Comparing the details of the schematic shown in Figure 3 with the block 
diagram shown in Figure 6, it can be seen that some of the components are not modeled. In particular, the 
locking valve and the selector valve for the tilt actuator are not included. Under nominal operation during 
flight, when the US TVC subsystem is active, these components should not be required. Their omission 
during an off-nominal condition would only be a problem if a failure first occurred in the tilt string, or a 
failure scenario required their operation. Due to the symmetrical modeling of the system, a failure in the 
rock string will have a similar effect as a failure in the tilt string. 



Figure 7. — Rock actuator subsystem Simulink model. 


TABLE 2.— DESCRIPTIONS FOR SYMBOLS IN ROCK ACTUATOR SUBSYSTEM SIMULINK MODEL

Symbol    Description
Cmd       GN&C command
Vcmd      Voltage command signal
Xp        Actuator position
Pd        Differential pressure
Pr        Return pressure
Ps        Supply pressure
Qps       Power spool flow
Qact      Actuator flow

3.2 Ares I Vehicle Simulation


The MAVERIC simulation, developed at MSFC, is a software program that allows the modeling of 
generic aerospace vehicles with the option of three or six degrees-of-freedom. MAVERIC has been used
to model and provide simulations for the following applications: Saturn V, a Shuttle-derived cargo
vehicle, a Strategic Launch Initiative two-stage-to-orbit launch vehicle concept, an orbital space plane 
concept and the current crew exploration launch vehicle concepts. A complete description of the 
MAVERIC software and its use are available in the User’s Guide (Ref. 6). The purpose here is not to 
provide a comprehensive description of MAVERIC and its capabilities. Rather, a brief overview of the 
simulation is presented with emphasis on its use for this investigation. 

For this study, a MAVERIC-based six degree-of-freedom Ares I aerospace vehicle simulation is used. 
Currently, MAVERIC includes closed-loop ascent guidance, sensor models, inertial navigation and flight 
control that are specific to the Ares I vehicle. Those aforementioned details are provided in Reference 7. 
Further, the MAVERIC software program has been used extensively to conduct performance studies for 
the Ares I vehicle as reported in Reference 8. Hence, the MAVERIC model of the Ares I vehicle is a good 
candidate for integration with the US TVC subsystem model in order to perform the closed-loop 
simulation study. 


3.3 Integration Process 

According to the TVC Verification and Validation Plan, an objective of the US TVC project is to 
have all models and simulations compatible with the MATLAB (Mathworks Inc.) Simulink software 
package. This necessitated the conversion of the MAVERIC code into a MATLAB S-function so that it 
could be integrated with the US TVC subsystem dynamic model in Simulink. 

The procedure to integrate the MAVERIC simulation and the US TVC subsystem simulation was 
performed over several steps. The first step involved recompiling the MAVERIC source code into a new 
stand-alone executable so that simulation results could be compared between the new executable and the 
results from a validated version of MAVERIC. This was done to ensure that no errors were introduced 
into the new executable based on platform differences. The recompiling process also required obtaining 
and compiling the libraries for Global Reference Atmosphere Model (GRAM) and Global Upper Air 
Climatic Atlas (GUACA), which are required by MAVERIC. 

The next set of steps entailed the integration of the MAVERIC simulation into the Simulink 
environment. This involved the modification of the MAVERIC source code in order to enable the passing 
of variables between MAVERIC and the US TVC subsystem simulation. At this point, the modified 
MAVERIC source code was compiled only as object files to be used in the creation of the S-function. 
These object files in conjunction with the S-function wrapper are linked together to create the MAVERIC 
S-function. Once the MAVERIC S-function was built, it was used in a Simulink model with no 
connection between it and an actuator model to ensure that including them in the same Simulink model 
did not adversely affect the US TVC or MAVERIC models. After that, the actuator model and the 
MAVERIC S-function were connected together to form a closed-loop system. Integrating only the 
actuator portion of the US TVC simulation model decreased the complexity of the integration process. 
Once the integration was completed for this simplified model, the whole US TVC subsystem simulation 
model was incorporated. 

Listed below are the steps that were taken in the integration process. Note that the results from each 
step were verified using output from the original Ares I MAVERIC simulation. 

1. Obtained MAVERIC source code and comparison output results from MSFC. 

2. Compiled a new standalone executable code using the following source codes: MAVERIC, 
GRAM and GUACA. 


NASA/TM—2010-216753

3. For integration purposes, modified the MAVERIC source code to enable passing of variables 
between the two simulations and created the MAVERIC S-function. Note that the GRAM and 
GUACA libraries are also linked in with the MAVERIC S-function. 

4. Built a Simulink model that contained the MAVERIC S-function and model of one of the US 
TVC actuators. 

5. Connected the MAVERIC S-function with a single copy of the US TVC actuator model. 

6. Connected the MAVERIC S-function with two copies of the US TVC actuator model in order to 
represent “rock” and “tilt” actuation functionality. 

7. Connected the MAVERIC S-function with the complete US TVC subsystem model. 

A Simulink block diagram is shown in Figure 8 that illustrates the connections between the two 
simulation models. At this top-level viewpoint of the simulation, the MAVERIC S-function, labeled 
“maveric_2Act” in Figure 8, is shown with its GN&C outputs connected as input commands to the US 
TVC simulation model. There are two parameter settings to the MAVERIC S-function, which select the 
mission trajectory. The parameters correlate to those used for all of the simulation results presented in this 
paper, which include the MAVERIC standalone simulation and the integrated closed-loop simulation. The 
US TVC simulation model, as shown in Figure 6, is represented as the “US TVC Subsystem” block in 
Figure 8. Therefore, in this closed-loop simulation model the MAVERIC S-function computes the GN&C 
inputs that are required based on the calculated actuator positions from the US TVC dynamic model. 

There are other simulation components shown that allow for the following: insertion of actuator command 
failures at specified simulation times, outputs of simulation results for comparisons and analyses and 
“scopes” that allow the real-time monitoring of selected simulation variables. 

For this simulation, Simulink is configured to use a variable time-step solver. This choice allows for 
smooth computation through each integration step, minimizing numerical difficulties, which might 
otherwise cause a fixed time-step solver to crash. In addition, a fixed-step solver cannot be used with the 
US TVC simulation, because the TPA component simulation, as delivered by a US TVC contractor, uses 
an S-function that requires a variable-step solver. However, the MAVERIC simulation uses a fixed
time-step solver where the time-step is set to a value of 0.01 sec. This could possibly lead to issues when
integrated with the US TVC subsystem simulation. For example, if the US TVC simulation was taking 
large time-steps, the transient response may not be accurate. However, during initial integration of the two 
simulations, it was seen that when the US TVC subsystem became active, the time-steps used in the 
solver were on the order of a magnitude smaller than the one used for MAVERIC — generally from 2.0 to 
3.5 ms. 

The integrated model calculates the new position of the actuators via the following steps: 

1. The US TVC Simulink model passes the actuator positions to MAVERIC; this is done through 
the feedback loop shown in Figure 8. 

2. MAVERIC compares the current Simulink timestamp to its own timestamp. 

3. If the Simulink timestamp is ahead of MAVERIC, then MAVERIC progresses to “catch up”. 

4. The new actuator commands from the MAVERIC GN&C data are passed to the US TVC model 
via the outputs from the S-function block labeled “maveric_2Act” shown in Figure 8.

5. The US TVC model computes one time-step, and the new actuator positions are passed to 
MAVERIC via the feedback loop. The process is repeated until the end of the simulated mission. 

The flow diagram shown in Figure 9 represents the process outlined in the preceding steps. 
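
The timestamp hand-off in steps 1 to 5, combined with the three-channel flow summing of Section 2.2, as an added Python sketch. It is not the MAVERIC S-function or the US TVC Simulink model: the class and function names, the gains, the actuator rate and the 1° target are constructed for illustration, while the 0.01 sec fixed step, the 2.0 to 3.5 ms plant steps and the 4° limit come from the text.

```python
"""Toy co-simulation: fixed-step guidance stand-in + variable-step actuator model.

All gains, rates and the 1 degree target are constructed for illustration;
they are not Ares I, MAVERIC or US TVC values.
"""
from collections import namedtuple

CTRL_DT_US = 10_000                             # fixed 0.01 sec step (from the text)
PLANT_STEPS_US = (2_000, 2_500, 3_000, 3_500)   # variable steps, 2.0 to 3.5 ms
STROKE_LIMIT_DEG = 4.0                          # stroke limit (from the text)
RATE_DEG_S = 20.0                               # assumed full-flow actuator rate
CHANNEL_GAIN = 2.0                              # assumed drive per degree of error
KI = 5.0                                        # assumed integral gain

Result = namedtuple("Result", "position_deg command_deg ctrl_steps max_lag_us")


def clip(value, limit):
    return max(-limit, min(limit, value))


class FixedStepGuidance:
    """Stand-in for the fixed-step side: integral loop holding a target angle."""

    def __init__(self, target_deg):
        self.target = target_deg
        self.time_us = 0
        self.integ = 0.0
        self.steps = 0

    def exchange(self, plant_time_us, position_deg):
        # Steps 2-3: compare timestamps, then catch up in whole fixed steps.
        while self.time_us + CTRL_DT_US <= plant_time_us:
            error = self.target - position_deg
            self.integ += KI * error * CTRL_DT_US * 1e-6
            self.time_us += CTRL_DT_US
            self.steps += 1
        # Step 4: return the new command, limited to the stroke limit.
        return clip(self.target + self.integ, STROKE_LIMIT_DEG)


def actuator_step(position_deg, command_deg, h_us, faults):
    """One explicit-Euler step of a three-channel, flow-summing actuator."""
    drive = clip(CHANNEL_GAIN * (command_deg - position_deg), 1.0)
    flows = []
    for channel in range(3):
        fault = faults.get(channel)
        if fault == "hard_over":
            flows.append(1.0)        # channel stuck at full flow
        elif fault == "zero_current":
            flows.append(0.0)        # channel contributes nothing
        else:
            flows.append(drive)      # healthy channel follows the error
    rate = RATE_DEG_S * sum(flows) / 3.0   # power valve sums the three flows
    return clip(position_deg + rate * h_us * 1e-6, STROKE_LIMIT_DEG)


def run(faults=None, fault_time_us=1_000_000, end_us=5_000_000, target_deg=1.0):
    """Closed-loop run; `faults` maps channel index -> fault type after fault_time_us."""
    guidance = FixedStepGuidance(target_deg)
    t_us, position, command, max_lag, i = 0, 0.0, 0.0, 0, 0
    while t_us < end_us:
        # Step 1: plant reports its position and timestamp (steps 2-4 inside).
        command = guidance.exchange(t_us, position)
        max_lag = max(max_lag, t_us - guidance.time_us)
        active = faults if (faults and t_us >= fault_time_us) else {}
        # Step 5: plant advances one variable step using the new command.
        h_us = PLANT_STEPS_US[i % len(PLANT_STEPS_US)]
        position = actuator_step(position, command, h_us, active)
        t_us += h_us
        i += 1
    return Result(position, command, guidance.steps, max_lag)


if __name__ == "__main__":
    cases = {
        "nominal": None,
        "one channel hard over": {0: "hard_over"},
        "two channels hard over": {0: "hard_over", 1: "hard_over"},
        "one channel zero current": {0: "zero_current"},
    }
    for name, faults in cases.items():
        r = run(faults)
        print(f"{name:26s} pos={r.position_deg:+.3f} cmd={r.command_deg:+.3f} "
              f"steps={r.ctrl_steps} max_lag_us={r.max_lag_us}")
```

In this toy model one hard-over channel leaves the position on target while the command settles 0.25° lower, and two hard-over channels drive the position to +4° and the command to -4°. The fixed-step side never trails the plant by a full 0.01 sec step.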

As a way to check the reliability of the resulting simulation model, the nominal results from the
standalone MAVERIC simulation and the integrated model were compared. Among the comparisons 
made were plots of vehicle altitude and the gimbal rock and tilt actuator positions. Shown in 
Figure 10 is a plot of the gimbal rock and tilt positions. The figure shows that the MAVERIC results from 
the standalone and the integrated models are in agreement for both rock and tilt actuator positions. 
Therefore, it was deemed the integration of MAVERIC with the US TVC subsystem model was 
accomplished. Similar analyses were completed for selected failures, and these are presented and 
discussed in the section for the Failure Scenarios, where again there is agreement for both rock and tilt 
actuator positions. 

Figure 10. — Comparing MAVERIC output responses for standalone and integrated model.

4.0 Simulation Results for Nominal and Failure Scenarios


The integrated model described in the preceding section was used to generate data under nominal and 
off-nominal conditions. The fault scenarios selected are those that pose the most risk. In this section, 
relevant failure scenarios and the nominal scenario are described and the simulation results presented. 

4.1 Nominal Scenario 

The nominal flight trajectory was selected from among the MAVERIC mission profiles that are 
included with the version 3.1 software release. The scenario is simulated for 600 sec, the duration of a
typical trajectory for the selected mission. For the simulation results presented in this report, the nominal 
mission is described as a heavy/slow Ares I vehicle that will be launched into LEO for an ISS mission. At 
the time this work was being conducted, the Shuttle missions were focused on finishing the ISS; so, this 
was a suitable mission profile. For the integrated model, the MAVERIC S-function and US TVC
subsystem model start to communicate with each other at approximately 133 sec as this is the time at
which the US TVC subsystem comes on-line. After this time, the positions of the rock and tilt actuators
are passed to the MAVERIC S-function and the GN&C commands passed to the US TVC Simulink
model, as shown in Figure 9. 

Figure 11 shows the nominal responses for the rock command plotted with its respective position and
the tilt command plotted with its respective position. The command and position responses are essentially 
identical, with the response lying on top of the command in Figure 11. The data have been shown from 
the time when the US TVC subsystem becomes active, at approximately 133 sec, to the J-2X main engine 
cutoff at 600 sec. It can be observed that the actuator output is always less than the limit of 4°; thus the 
Ares I requirement for limited actuator movement is met. The GN&C inputs to the rock and tilt actuators 
have their largest change in positions when the US TVC subsystem is first commanded at 133 sec, and 
they continue until approximately 175 sec. After that, the position responses of the rock and tilt actuators
are relatively steady, although towards the end of the flight trajectory, from about 350 sec and onward,
the position trajectories gradually increase. The flight trajectory selected is not particularly demanding,
but it is representative of an Ares I mission profile. Newer versions of the MAVERIC software have flight 
trajectories that put more demand on the actuation capabilities of the US TVC subsystem. However, for 
the simulation results presented in this report, the selected mission profile is suitable to illustrate the 
effects of the selected failure scenarios. 

4.2 Failure Scenarios 

Using the integrated model that was described in Section 3.0, failure conditions can be inserted in 
either the rock or tilt strings or both if multiple failures are being investigated. In general, the responses to 
a particular fault condition, whether implemented in the rock or tilt actuators, are very similar. This is due 
to the symmetrical modeling of the US TVC subsystem as has been previously noted. Because of this 
similarity, the fault scenarios presented in this paper are implemented only in the rock string. 

Additionally, the fault is set to occur at the start of the US TVC operation where the actuators must 
respond to large commanded inputs. A failure at this time will have a stronger impact on the system 
response because it occurs during a critical time for the performance of the US TVC subsystem.

Table 3 lists the US TVC failure scenarios investigated for this paper. 

[Figure: plot titled “Nominal Responses”; axis label “Output (degrees)”]

TABLE 3.— US TVC FAILURE SCENARIOS (FS) INVESTIGATED

No.   Description
1     Hard over failure in 1-channel of the rock actuator servovalve
2     Hard over failure in 2-channels of the rock actuator servovalve
3     Zero current failure in 1-channel of the rock actuator servovalve
4     Zero current failure in 2-channels of the rock actuator servovalve
5     Zero current failure in 3-channels of the rock actuator servovalve
6     Commanded hard over to rock actuator (4° input)
7     Commanded null position to rock actuator (0° input)

Next, the results and discussion are presented for each of these failure scenarios. Note that the results
are shown for the time period of interest for operation of the US TVC system. Namely, the plotted 
simulation results start at approximately 132 sec and continue until the nominal mission ends at 600 sec 
or until the inserted failure causes an end to the mission trajectory. Also, the simulation results for the 
failure scenarios are designated by FS, which can be found in each figure that compares the nominal and 
failure scenario results. 

These failure scenarios do not take into account any recovery strategies that would most likely be in 
place as a result of fault detection, isolation and recovery (FDIR) algorithms for abort conditions that 
would be designed for the Ares I vehicle. Therefore, when a failure occurs, the integrated simulation 
continues to run with no mitigating actions taken. Therefore, results may occur from the failure insertions 
that would not otherwise be expected. 

4.2.1 FS No. 1 — Hard Over Failure in 1-Channel of the Rock Actuator Servovalve at t = 133 sec 

A hard over failure condition exists when an actuator is fully extended or fully contracted and does 
not respond to commands sent from GN&C. In other words, the US TVC does not have the capability to 
keep the US on its mission trajectory. As stated previously, the servovalve has three inputs (i.e., channels) 
that make up the pilot flow in each actuator; a failure in one of them has only a minor adverse effect on 
the ability of that particular actuator to function normally. This is because the other two nominal channels
of the servovalve can compensate for the failure in the third one. The purpose of this failure case is to 
verify this effect. The failure scenario is implemented in one channel of the rock actuator servovalve, 
which is shown in Figure 4. As expected, the US TVC subsystem is able to control the US and maintain 
the mission trajectory. Therefore, the responses for this failure scenario look very similar to the nominal 
ones. The impact of the failure can be seen in Figure 12 where the rock command is offset to compensate
for the one failed servovalve in the rock actuator. For these comparisons, the output responses are close to 
the nominal ones, because the GN&C system keeps modifying the rock actuator command until the 
desired trajectory is achieved. The results show that, with this failure, the nominal mission will be 
completed successfully due to the fact that the rock actuator assembly can be operated with one failed 
channel. 

4.2.2 FS No. 2 — Hard Over Failure in 2-Channels of the Rock Actuator Servovalve at t = 133 sec 

In order to have the rock actuator go into a hard over condition, there will need to be at least two 
faults in order to violate the single-fault tolerant design. Since the US TVC cannot operate in a nominal
manner with an actuator in a hard over position, it will not have the capability to keep the US on its
mission trajectory under this failure condition. The objective of this failure scenario is to show that result, 
and it is implemented by having two channels of the servovalve fail so that the rock actuator is held in the 
fully extended position. In this case, the failure impacts the nominal trajectory in a severe manner. The 
US cannot be controlled using only the properly functioning tilt actuator. The altitude output responses 
shown in Figure 13 for the nominal and failure scenario do not start to diverge until about 150 sec. While 
this is a subjective measurement, it is adequate for the purpose of comparing the effect on the vehicle 
trajectory due to the hard over failure. Note that the position of the actuator has been limited to a 
magnitude of four degrees as per the requirements on the US TVC subsystem and shown in Figure 14. As 
the rock actuator moves to its maximum position, the rock command from the GN&C system 
compensates by sending inputs to move a -4°. Correspondingly, the GN&C inputs to the tilt actuator try 
to compensate for the rock actuator — the result of being 45° off axis — driving that actuator to its limit as 
well. The abrupt change in the position of the tilt actuator, as seen in Figure 14, could be due to the 
GN&C function reacting to the vehicle’s response to the hard over condition. 

Figure 12. — Comparing output responses for nominal and failure scenario (FS) one. 

Figure 13. — Comparing altitude responses for nominal and failure scenario two. 

Figure 14 illustrates the sequence of events that occur. Looking at the tilt position, the impact from 
the hard over failure in the rock actuator is evident at around 138 sec, which is when the nominal and 
failure trajectories start to significantly deviate. This is still a qualitative measurement of when the fault 
would manifest itself in the sensor data, because the tilt position is still in the range of nominal behavior. 
When the delta in the altitude responses between the nominal and failure scenario is plotted, the deviation 
between the two is also seen to start at approximately 138 sec. From a performance point of view, this 
simulation shows that the Ares I vehicle will not meet its trajectory target with two servovalve failures 
that result in a hard over condition in the US TVC actuator subsystem. In this case, the integrated 
simulation has a numerical instability and stops at approximately 170 sec. 

Previously in Figure 10, it was shown that under nominal conditions the MAVERIC-integrated model 
performed the same as the standalone simulation. Similarly, the performance of the integrated model 
under a failure condition was also investigated in order to demonstrate a successful integration process. 

The process for inserting the hard over failure into the MAVERIC standalone simulation was 
constrained by the rules imposed by the code and was different than for the integrated model. Despite 
these differences, the fault input was reasonably replicated. In the first plot of Figure 15, the rock 
positions illustrate the effect from the hard over failure where both positions are driven to 4°, which is a 
hard over condition. In the second plot of the same figure, minor differences in the tilt positions can be 
seen at approximately 145 sec where the peaks in the responses are slightly offset. The discontinuities 
of concern in the tilt position response from the integrated model are also present in the tilt position 
response from the standalone simulation. Therefore, these discontinuities are not due to the integration process. 

Figure 14. — Comparing output responses for nominal and failure scenario two. 

Figure 15. — Comparing MAVERIC output responses for standalone and integrated model. 

4.2.3 FS No. 3 — Zero Current Failure in 1-Channel of the Rock Actuator Servovalve at t = 133 sec 

When the actuator is moving, each torque motor contributes to the overall movement of its associated 
actuator. If there is no current through the torque motor, there is no contribution from that particular 
channel. The purpose of this failure scenario is to confirm that the actuator can still nominally perform its 
function with the loss of one torque motor. This failure scenario is implemented in one channel of the 
rock actuator servovalve. As expected, losing one of the torque motors (i.e., no current) in the servovalve 
has no adverse impact on the ability of the Ares I vehicle to meet its mission trajectory. In general, the 
output responses for the failure scenario are very similar to the nominal ones for the variables that have 
been previously shown. Consequently, they are not shown here. Because the responses are similar, the 
fact that a failure has occurred in the rock actuator servovalve will not be readily observed in the sensor 
data for the rock and tilt position measurements. However, there is a sensor embedded in the actuator 
assembly that monitors the torque motor current, and that signal can be used to provide indication that 
there is a problem with the torque motor since torque motor current should not be zero when the 
associated actuator is moving. Although the failure has not caused a severe impact to the Ares I mission, 
awareness of the loss of redundancy during flight is desirable both for onboard operation and post-flight 
analyses. 

4.2.4 FS No. 4 — Zero Current Failure in 2-Channels of the Rock Actuator Servovalve at t = 133 sec 

This failure scenario is similar to the previous one, except that now there are two channels in the 
rock actuator servovalve with no current through them. The overall simulation results are not 
substantially different from the previous failure scenario which, in turn, is similar to the nominal case. 
Using similar reasons as in the preceding example, indication of this fault condition would need to be 
observed in something other than the actuator position measurement. As before, although the simulation 
results do not indicate a severe impact to the Ares I mission, it would still be beneficial to know that there 
has been a failure in the rock actuator subsystem. 

4.2.5 FS No. 5 — Zero Current Failure in 3-Channels of the Rock Actuator Servovalve at t = 133 sec 

If each channel of the actuator servovalve has a failed torque motor, the actuator will not move. The 
results from this study indicate that at least one working torque motor is required for the actuator to 
operate. The goal of this failure scenario is to demonstrate that the actuator cannot nominally perform its 
function with the loss of all three torque motors, and this failure scenario is set up with all three channels 
of the rock actuator servovalve concurrently having a zero current failure. Evidence of the divergence 
between the altitude responses for the nominal and failure scenario occurs at approximately 160 sec, 
as seen in Figure 16. The first plot of Figure 17 clearly indicates an off-nominal situation at the time of 
the insertion of the fault, because the rock actuator is not moving. In spite of the fact that the rock actuator 
is nonresponsive, using only the tilt actuator, the controller is able to maintain the desired trajectory up to 
about 160 sec. At this point, the controller can no longer maintain the desired trajectory using only the tilt 
actuator. For most of the trajectory, the responses for the tilt actuator command and position are well 
within the maximum allowable range, but their actual magnitude and transient responses are very 
different from the nominal ones. The error between the nominal and failure scenario is obvious in the 
second plot of Figure 17. Eventually, the tilt actuator position goes into a hard over condition, which is 
indicated in Figure 17 at approximately 325 sec. 

If only the allowable limits on the actuator position are being used, these results show that those 
measurements may not clearly indicate that there is an off-nominal condition. However, using the error 
between the commanded position and the actual position will provide an earlier indication that there is a 
problem, because the rock actuator is not responding to inputs from GN&C. An earlier indication is 
desired, because it provides more time for remediation of the failure. In addition, as noted before, using 
the measurements for the torque motor current sensors will also provide an earlier indication that there is 
a problem, since under nominal conditions the rock actuator should be responding, which means that the 
torque motors should have measurable currents. In this failure scenario, the currents are zero, and it can 
be inferred that there is a problem. 
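
The comparison described above can be made concrete with a small detector, added here as an illustration and not taken from the report or the Ares I software: it reports when each indicator would first alarm on constructed telemetry. The thresholds, the persistence count, the 0.3 deg/s command ramp and the current values are assumptions; only the 4° position limit and the 133 sec insertion time come from the report.

```python
from dataclasses import dataclass

POSITION_LIMIT_DEG = 4.0    # actuator travel limit stated in the report
ERROR_THRESHOLD_DEG = 0.5   # assumed command-vs-position error threshold
CURRENT_FLOOR_MA = 0.1      # assumed: below this a torque motor counts as dead
CMD_RATE_MIN_DEG_S = 0.05   # assumed: command is "moving" above this rate
PERSISTENCE = 3             # assumed consecutive samples required to alarm


@dataclass
class Sample:
    t: float            # mission time, sec
    cmd_deg: float      # GN&C command to the actuator
    pos_deg: float      # measured actuator position
    currents_ma: tuple  # one torque motor current per servovalve channel


def first_alarm(samples, predicate, persistence=PERSISTENCE):
    """Time at which predicate has held for `persistence` samples in a row."""
    run = 0
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if predicate(prev, cur) else 0
        if run >= persistence:
            return cur.t
    return None


def at_limit(prev, cur):
    return abs(cur.pos_deg) >= POSITION_LIMIT_DEG


def tracking_error(prev, cur):
    return abs(cur.cmd_deg - cur.pos_deg) > ERROR_THRESHOLD_DEG


def zero_current(min_channels):
    """Predicate: at least min_channels dead motors while the command is moving."""
    def check(prev, cur):
        rate = abs(cur.cmd_deg - prev.cmd_deg) / (cur.t - prev.t)
        dead = sum(abs(i) < CURRENT_FLOOR_MA for i in cur.currents_ma)
        return rate > CMD_RATE_MIN_DEG_S and dead >= min_channels
    return check


def evaluate(samples):
    """First alarm time (sec) per indicator, or None if it never alarms."""
    return {
        "position_limit": first_alarm(samples, at_limit),
        "tracking_error": first_alarm(samples, tracking_error),
        "redundancy_lost": first_alarm(samples, zero_current(1)),
        "all_channels_dead": first_alarm(samples, zero_current(3)),
    }


def constructed_run(currents_ma, actuator_responds):
    """Constructed telemetry (not report data): command ramps 0.3 deg/s from 133 s."""
    out = []
    for k in range(13):
        cmd = 0.3 * k
        pos = cmd if actuator_responds else 0.0  # a dead actuator stays at rest
        out.append(Sample(133.0 + k, cmd, pos, currents_ma))
    return out


if __name__ == "__main__":
    runs = {
        "nominal": constructed_run((5.0, 5.0, 5.0), True),
        "one channel zero (FS 3)": constructed_run((0.0, 5.0, 5.0), True),
        "three channels zero (FS 5)": constructed_run((0.0, 0.0, 0.0), False),
    }
    for name, samples in runs.items():
        print(name, evaluate(samples))
```

On this constructed data the position-limit check never alarms for the nonresponsive actuator, while the current and tracking-error checks alarm within a few samples of fault insertion; the one-channel case is visible only in the current check.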

As done before with the hard over failure, a comparison between the MAVERIC standalone 
simulation and the integrated model under a null condition failure (i.e., zero current) was also investigated 
in order to demonstrate a successful integration process. 

Figure 16. — Comparing altitude responses for nominal and failure scenario five. 

Figure 17. — Comparing output responses for nominal and failure scenario five. 

Figure 18. — Comparing MAVERIC output responses for standalone and integrated model. 


The null failure was inserted into the MAVERIC standalone simulation in the same manner as 
for the hard over scenario. However, in this case the failure is easily repeated because for the null 
condition the actuator remains at rest. In Figure 18, the output responses show good agreement, and once 
again there were no problems indicated with the integration process for the failure scenario investigated. 

4.2.6 FS No. 6 — Commanded Hard Over to Rock Actuator at t = 133 sec 

As noted in previous failure scenarios, a hard over condition is the result of the actuator going into a 
fully extended or fully contracted position. As shown in the second failure scenario, this can be the result 
of a hardware failure. In addition, it can also be the result of an error in the input command to the actuator, 
with a software error being one possible cause. The reason for this failure scenario is to 
demonstrate the effects of a command input error; for this example, an erroneous command of 4° is sent 
to the rock actuator that results in a hard over condition. This failure scenario was also included to 
illustrate the functionality of the integrated model, and its ability to model failures in the command inputs. 
As presented in Figure 19, the effect on the trajectory of the altitude response is similar to the second 
failure scenario where there was a double failure in the servovalve subsystem of the rock actuator 
assembly, which resulted in a hard over condition. Looking at the first plot in Figure 20, the rock position 
moves to its maximum value of 4° as commanded. As a result, the commands sent to the tilt actuator try 
to compensate for the rock actuator where eventually the tilt actuator is driven to its limit as well. As 
illustrated by the off-nominal response in the altitude trajectory, the US cannot be controlled with just the 
tilt actuator. 

It is important to note that failures resulting from different causes can have similar effects on the 
system. Ares I will require diagnostic systems to detect the root cause of these failures and to isolate the 
failure to a specific component or subsystem. 

Figure 19. — Comparing altitude responses for nominal and failure scenario six. 

Figure 20. — Comparing output responses for nominal and failure scenario six. 

4.2.7 FS No. 7 — Commanded Null Position to Rock Actuator at t = 133 sec 

This failure scenario is also the implementation of a command input error. The motivation for this 
case is to have an erroneous command that places the rock actuator at the null position, which is at 0°. In 
other words, there are no commanded deflections in the rock actuator position. The fault insertion occurs 
at 133 sec — the beginning of US TVC operation. Divergence in the altitude response between the nominal 
and failure scenario occurs at approximately 160 sec, as seen in Figure 21. In the first plot of Figure 22, 
the rock actuator position clearly indicates an off-nominal situation at time of the insertion of the fault. 
While the tilt actuator position is within its nominal range of 4°, the error between the nominal and failure 
scenario is obvious in the second plot of Figure 22. Eventually, the tilt actuator position goes into a hard 
over condition at approximately 325 sec. Note that the response for this failure is similar to that for failure 
scenario five. So once again, it can be seen that it becomes important to use information other than that 
provided from the trajectory error to properly isolate the cause of failure. 


Figure 21. — Comparing altitude responses for nominal and failure scenario seven. 

Figure 22. — Comparing output responses for nominal and failure scenario seven. 


5.0 Summary and Conclusions 

Modeling and simulation provide a means to carry out not only performance analyses that help to 
define the system architecture, but they also provide the needed resources to investigate off-nominal 
conditions early in the design phase. This facilitates the development of the software that implements the 
control systems and diagnostics used by the vehicle. Although it can be argued that a system’s 
architecture can change significantly during the early stages of a program, it is usually more difficult and 
expensive to change hardware late in the production phase or afterwards when the vehicle is already in 
use. It is expected that an investment in modeling, simulation and analysis tools early in the program will 
provide benefits that include improved safety margins, greater system reliability and reduced maintenance 
costs. In addition, a hardware-based test program would be expensive to build and implement; therefore, 
the virtual test bed environment that these models and simulations provide is ideal for the development of 
controls and diagnostics software. 

The simulation results for nominal flight and several failure scenarios have been presented for the 
Ares I US TVC subsystem. These were produced by a model that integrated two simulation models that 
represent the US TVC subsystem and the Ares I vehicle. There were a total of seven failure scenarios for 
which simulation results were shown. Failure scenarios were implemented to ensure the worst possible 
effect on the vehicle trajectory. Hence, failures were inserted at the beginning of the mission profile at 
133 sec when the US TVC subsystem is required to deliver most of its thrust vectoring control. Other 
scenarios were investigated, which varied the fault insertion time. However, the general response of the 
system was similar for each type of failure. For example, in case of a hard over condition, the system was 
unable to meet the mission trajectory even if the failure condition was inserted at the end of the mission 
profile. 

The closed-loop simulation was built in MATLAB Simulink, which contributed to the ease of 
modeling and testing the failure scenarios. The major components of the US TVC subsystem are 
accessible for modeling failure scenarios that otherwise would not be possible with a model that does not 
have the same fidelity. In this case, the original MAVERIC simulation does have a model for the US 
TVC, but it is not as detailed as the one used here. In order to predict how US TVC failures might impact 
the mission, a model that is based on system requirements, such as the one used here, might provide more 
confidence in the conclusions drawn from the simulation results. 

During preliminary discussions with simulation designers, who are themselves MAVERIC users, it 
was suggested we use an integration step size of 0.01 sec for all simulations using MAVERIC. As 
mentioned before, the Simulink US TVC Actuator subsystem model required the integration step size be 
variable and could vary to several orders of magnitude below 0.01 sec. During the review of the 
MAVERIC integrated simulation results, the disparity between the two integration step sizes was 
questioned. While not affecting the results in this paper, previous modeling experience suggests that the 
MAVERIC integration step size should be reduced to at least 0.001 sec to more closely match the step 
size used by the Simulink US TVC subsystem simulation. Engineers, using MAVERIC for Ares I abort 
condition analysis, used an integration step size of 0.005 sec, so reducing the step size to 0.001 sec would 
be reasonable. 

The MAVERIC simulation breaks down a simulation into calls to various launch vehicle related 
modules such as the GN&C system, the Flight Control System, Propellant Utilization, the Actuators or 
the Reaction Control System. MAVERIC also allows users to code their own versions of these modules 
and incorporate them as plugins. In retrospect, this is the integration path that could have been employed 
since it would have: 

• Aligned with a ‘top down’ design of the integration, i.e., the US TVC subsystem model would 
have been a subset of models available to MAVERIC. 

• Eliminated issues compiling and linking MAVERIC source into the S-function. 

• Allowed easier integration with later versions of MAVERIC. 

MAVERIC is such a complex simulation that a longer, more detailed review of its capabilities should 
have been made. For example, MAVERIC has several input files with many input variables, some of 
which can affect or override each other. While the scope of this task did not call for developing an 
expertise in MAVERIC, a better knowledge of its capabilities and input structure would have been 
beneficial during the execution of simulations, which were made for comparing failure scenario results 
from the MAVERIC standalone simulation and the integrated model. 